DOE F 1325.8
(6-89)
EFG (07-90)

United States Government                                              Department of Energy

Memorandum

DATE:      SEP 22 2003
REPLY TO:  IG-34 (A03TG049)                              Audit Report No.: OAS-L-03-21
SUBJECT:   Evaluation of "The Federal Energy Regulatory Commission's Cyber Security Program-2003"
TO:        Chairman, Federal Energy Regulatory Commission

The purpose of this report is to inform you of the results of our evaluation of the
Federal Energy Regulatory Commission's (Commission) cyber security program. The
evaluation was initiated in July 2003, and our fieldwork was conducted through
September 2003. Our methodology is described in the attachment to this report.

INTRODUCTION AND OBJECTIVE

As with other Federal organizations, the Commission is increasing its focus on the
electronic delivery of information and services and plans to spend $27 million in Fiscal
Year (FY) 2003 on information technology to support its energy markets mission. As
required by the President's Management Agenda, the Commission recently began a
series of initiatives to develop and implement web-based applications to improve the
energy regulatory process and streamline internal activities. These networked systems
increase the risk that sensitive and critical data could be compromised or lost as various
applications are accessed through the Internet. Increasingly, "hackers" attempt to
exploit vulnerabilities and corrupt valuable government information technology
resources.

In response to the continuing threat to Federal information resources, Congress enacted
the Federal Information Security Management Act (FISMA) in 2002 to ensure that all
organizations develop and maintain adequate cyber security controls to protect
information resources. As required by FISMA, the Office of Inspector General
performed an independent evaluation to determine whether the Commission's
unclassified cyber security program protected data and information systems.

CONCLUSIONS AND OBSERVATIONS

The Commission had made significant progress in resolving weaknesses reported
during our 2002 evaluation. However, we observed that plans for maintaining or
resuming critical operations in the event of an emergency or disaster had not been
completed.

We found that the Commission had developed a comprehensive process for tracking
and reporting the status of all previously identified cyber security weaknesses. We also
noted that the Commission had taken the following action to correct several weaknesses
identified in 2002:

      * The roles and authorities of the Chief Information Officer were clarified to
        include the development and implementation of a Commission-wide cyber
        security protection program;
      * The Commission required all of its employees to receive cyber security
        awareness training. Furthermore, a core curriculum was developed for the
        individuals with significant security responsibilities;
      * Several configuration management weaknesses were addressed, including
        maintaining current software updates, correcting the configuration of remote
        access and file transfer services, and correcting system server configurations to
        restrict unauthorized access; and,
      * The Management, Administrative and Payroll System application was upgraded
        to enforce strengthened password policies.

Since our evaluation did not reveal new weaknesses and the Commission continues to
make progress on correcting remaining problems, we made no new recommendations.
We appreciate the cooperation of your staff. No response is required to this report.

                                           Rickey R. Hass, Director
                                           Science, Energy, Technology,
                                             and Financial Audits
                                           Office of Audit Services
                                           Office of Inspector General

Attachment

cc:       Executive Director, FERC
          Chief of Staff, DOE
          Chief Information Officer, DOE


                                                                             Attachment

SCOPE AND METHODOLOGY

We performed our evaluation between July and September 2003. Our evaluation was
primarily focused on the results of the Commission's corrective actions during FY 2003
to address previously identified weaknesses. In addition, we reviewed the
Commission's progress in implementing its plan of action and milestones (POA&M)
process.

We satisfied our objective by reviewing applicable laws and regulations pertaining to
cyber security and information technology resources and reviewing the Commission's
overall cyber security program management policies, procedures, and practices. In
addition, we reviewed the Commission's corrective actions and their results to address
previously reported weaknesses from prior cyber security evaluations. The review was
performed in conjunction with the annual audit of the Department's Consolidated
Financial Statements, utilizing work performed by KPMG LLP, the Office of Inspector
General contract auditor. Their review included analysis and testing of general and
application controls for systems and a review of system configurations in order to
follow up on the status of previously reported weaknesses.

We evaluated the Commission's implementation of the Government Performance
Results Act of 1993 related to the establishment of performance measures for cyber
security. We did not rely solely on computer-processed data to satisfy our objectives.
Because our review was limited, it would not have necessarily disclosed all internal
control deficiencies that may have existed at the time of our review.

The review was conducted in accordance with generally accepted Government auditing
standards for performance audits and included tests of internal controls and compliance
with laws and regulations to the extent necessary to satisfy the objectives. We held an
exit conference with the management on September 16, 2003.


                    U. S. Department of Energy Office of Inspector General
          Independent Evaluation of FERC Unclassified Information Security - 2003


FY03 IT SECURITY SPENDING

Bureau Name                                    FY03 IT Security Spending ($ in thousands)

(No IG response required for this question)

Agency Total


FY03 PROGRAMS, SYSTEMS, AND CONTRACTOR OPERATIONS OR FACILITIES

                                          FY03 Programs        FY03 Systems         FY03 Contractor
                                                                                    Operations or Facilities
Bureau Name                               Total    Number      Total    Number      Total    Number
                                          Number   Reviewed    Number   Reviewed    Number   Reviewed

Federal Energy Regulatory Commission (FERC)

Agency Total                                                                                 0

b. For operations and assets under their control, have agency program officials and
   the agency CIO used appropriate methods (e.g., audits or inspections, agreed upon
   IT security requirements for contractor provided services or services provided by
   other agencies) to ensure that contractor provided services or services provided by
   another agency for their program and systems are adequately secure and meet the
   requirements of FISMA, OMB policy and NIST guidelines, national security policy,
   and agency policy?
   Yes

c. If yes, what methods are used? If no, please explain why.
   National Institute of Standards and Technology (NIST) 800-26, Security Self
   Assessment Guide for Information Technology (IT) Systems. Office of Inspector
   General (OIG) follow-up review.

d. Did the agency use the NIST self-assessment guide to conduct its reviews?
   Yes

e. If the agency did not use the NIST self-assessment guide and instead used an
   agency developed methodology, please confirm that all elements of the NIST guide
   were addressed in the agency methodology.
   N/A

f. Provide a brief update on the agency's work to develop an inventory of major IT
   systems.
   FERC completed its system inventory and has a total of 64 IT systems.


FY03 MATERIAL WEAKNESSES

                       Total      Total Number      Identify and Describe        POA&Ms
Bureau Name            Number     Repeated from     Each Material Weakness       developed?
                                  FY02                                           Y/N

FERC                   0          0

Agency Total           0          0


PLAN OF ACTION AND MILESTONES (POA&M) PROCESS

Each item below is marked with an X in one of two response columns; the column
headings were not captured in this copy of the report.

                                                                              Column 1   Column 2
Agency program officials develop, implement, and manage the plan of action
and milestones (POA&M) for every system that they own and operate (systems
that support their programs) that has an IT security weakness.                   X

Agency program officials report to the Chief Information Officer (CIO) on a
regular basis (at least quarterly) on their remediation progress.                X

Agency CIO develops, implements, and manages POA&Ms for every system that
they own and operate (systems that support their programs) that has an IT
security weakness.                                                               X

The agency CIO centrally tracks and maintains all POA&M activities on at
least a quarterly basis.                                                         X

The POA&M is the authoritative agency and IG management tool to identify
and monitor agency actions for correcting information and IT security
weaknesses.                                                                      X

System-level POA&Ms are tied directly to the system budget request through
the IT business case as required in Office of Management and Budget (OMB)
budget guidance (Circular A-11) to tie the justification for IT security
funds to the budget process.                                                                X

Agency IGs are an integral part of the POA&M process and have access to
agency POA&Ms.                                                                   X

The agency's POA&M process represents a prioritization of agency IT
security weaknesses that ensures that significant IT security weaknesses
are addressed in a timely manner and receive, where necessary, appropriate
resources.                                                                       X


AGENCY PROGRAM RESPONSES

Responses recorded in this section, in order; the corresponding question text was
not captured in this copy of the report.

   The Commission's Cyber Security Action Plan sets forth roles and responsibilities
   for the cyber security program and the Federal Information Security Management
   Act of 2002 (FISMA). Program elements are responsible for implementing cyber
   security policy. The CIO has responsibility for program monitoring, oversight,
   and enforcement.

   No.

   The Cyber Security Action Plan includes cyber security provisions applicable to
   all of the Commission's information systems, including systems in the development
   and maintenance phase. However, the Commission has not established any
   performance measures or metrics that would ensure the security plan is practiced
   throughout the lifecycle of the system.

   During the reporting period, the Commission approved a site-wide Cyber Security
   Action Plan. However, individual systems do not have cyber security plans.

   No, the agency did not fully integrate its IT security program with its critical
   infrastructure protection responsibilities. Work is ongoing in this area. The
   Commission does not currently have an approved continuity of operations plan or
   tested disaster recovery plans.

   No, the agency does not have separate staff devoted to other security programs.
   There is minimal duplication of costs or effort within the Commission's various
   security programs. It is a small agency and some individuals do have multiple
   responsibilities.


CRITICAL OPERATIONS AND ASSETS

a. Has the agency fully identified its national critical operations and assets?
   NA

b. Has the agency fully identified the interdependencies and interrelationships of
   those nationally critical operations and assets?
   NA

c. Has the agency fully identified its mission critical operations and assets?
   Yes

d. Has the agency fully identified the interdependencies and interrelationships of
   those mission critical operations and assets?
   No

e. If yes, describe the steps the agency has taken as a result of the review.

f. If no, please explain why.
   While the Commission had identified all of its IT systems, it had not fully
   identified interdependencies and interrelationships of mission critical
   operations and assets because work on the Continuity of Operations Plan is not
   complete.

NA = Not applicable because FERC has no national critical operations or assets.


INCIDENT HANDLING AND PATCH MANAGEMENT

a. Identify and describe the procedures for external reporting to law enforcement
   authorities and to the Federal Computer Incident Response Center (FedCIRC).
   The Director for Security, Systems Assurance & Information Management (SSA&IM)
   coordinates computer security efforts within the agency and coordinates with law
   enforcement authorities and FedCIRC.

b. Total number of agency components or bureaus.

c. Number of agency components with incident handling and response capability.
   1

d. Number of agency components that report to FedCIRC.
   1

e. Does the agency and its major components share incident information with
   FedCIRC in a timely manner consistent with FedCIRC and OMB guidance?
   Yes

f. What is the required average time to report to the agency and FedCIRC following
   an incident?
   Close of Business

g. How does the agency, including the programs within major components, confirm
   that patches have been tested and installed in a timely manner?
   While FERC's Cyber Security Action Plan briefly discusses patches and FERC has a
   flowchart for the patch process, FERC's IT documentation does not provide
   detailed procedures on monitoring or confirming the timely installation of
   security patches.

h. Is the agency a member of the Patch Authentication and Distribution Capability
   operated by FedCIRC?
   Yes

i. If yes, how many active users does the agency have for this service?
   3

j. Has the agency developed and complied with specific configuration requirements
   that meet their own needs?
   Yes

k. Do these configuration requirements address patching of security vulnerabilities?
   Yes


INCIDENTS REPORTED

                       Number of incidents     Number of incidents reported     Number of incidents reported
Bureau Name            reported                externally to FedCIRC            externally to law enforcement

FERC                   762,976                 7                                0


SYSTEM SECURITY STATUS

Values for FERC; the Agency Total row is identical.

a. Bureau Name: FERC
b. Total number of systems: 64
c. Systems assessed for risk and assigned a level of risk: 59 (92%)
d. Systems that have an up-to-date IT security plan: 0 (0%)
e. Systems certified and accredited: 0 (0%)
f. Systems with security control costs integrated into the life cycle of the
   system: 0 (0%)
g. Systems for which security controls have been tested and evaluated in the last
   year: 1 (1%)
h. Systems with a contingency plan: 0 (0%)
i. Systems for which contingency plans have been tested: 0 (0%)


AGENCY CIO OVERSIGHT

Has the agency CIO maintained an agency-wide IT security program? Y/N
   Y

Did the CIO evaluate the performance of all agency bureaus/components? Y/N
   Y

How does the agency CIO ensure that bureaus comply with the agency-wide IT security
program?
   The Executive Director centrally manages cyber security.

Has the agency CIO appointed a senior agency information security officer per the
requirements in FISMA?
   Y

Do agency POA&Ms account for all known agency security weaknesses including all
components?
   Y


IT SECURITY TRAINING

Total number of agency employees in FY03: 1,316
Agency employees that received IT security training in FY03: 1,032 (78%)
Total number of agency employees with significant security responsibilities: 8
Agency employees with significant security responsibilities that received
specialized training: 7 (87%)
Briefly describe training provided:
   Office of Personnel Management Online Learning Karta library for IT security and
   IT technical employees. Also, the Commission has in-house FISMA and NIST
   assessment training.
Total costs for providing training in FY03: $14,000


IT SECURITY BUDGETING

Bureau Name: FERC

Number of business cases submitted to OMB in FY05:
   3 submitted to OMB on September 9, 2003.

Did the agency program official plan and budget for IT security and integrate
security into all of their business cases? Y/N
   Yes. However, one of the business cases did not show evidence of budgeting for
   cyber security.

Did the agency CIO plan and budget for IT security and integrate security into all
of their business cases? Y/N
   Yes. However, one of the business cases did not show evidence of budgeting for
   cyber security.

Are IT security costs reported in the agency's exhibit 53 for each IT investment?
Y/N
   Yes. However, in one instance FERC is reporting an IT investment in a system
   owned by another agency. FERC does not show any IT security costs for this
   investment.